ABSTRACT


With the growing use of the Internet of Things (IoT), cyber threats and malicious activities are also at their peak. The widening use of IoT has raised awareness of security, which has become a major concern for many IoT users. For the smooth working of IoT networks it is essential to protect devices from malicious activity, and for that purpose an advanced Intrusion Detection System (IDS) is required. In this paper we discuss approaches to IDS and the different datasets used to evaluate them. We then discuss the types of IDS by application, with their limitations, and the current challenges faced by IDS for IoT as directions for future work. An IDS plays a pivotal role in IoT by discovering and repelling malicious activity so that service networks remain lag-free.
INTRODUCTION


The Internet of Things (IoT) is an automation-related field that largely operates without human interaction. It is a group of connected devices such as sensors, actuators, CCTV cameras and other smart devices, used in industrial applications, smart homes, smart cities and other IoT applications. The vital requirement of any such system is to provide undisrupted service while ensuring a high level of security by maintaining integrity, confidentiality and availability [1].


IoT devices are connected through wireless or wired systems, and many devices share the same network. Third-party use of devices makes them vulnerable to an attacker. IoT mainly uses two application methods, centralized IoT and distributed IoT. In centralized IoT all the devices are controlled from one device, while distributed IoT operates at each node individually. Both systems, however, are vulnerable to unauthorized access by intruders. To protect the network from malicious activity, an Intrusion Detection System is installed, which monitors traffic and filters packets in the manner of a firewall [2]. Intrusion Detection Systems are implemented to detect abnormal behaviour and to troubleshoot online threats, malware attacks and other kinds of intrusion, so as to safeguard single devices or whole networks. Fig. 1 shows the procedure of an IDS on an IoT network. It starts with a knowledge-based dataset; training then takes place in order to obtain efficiency at testing time. If the detection system finds abnormal behaviour in packets, it passes them to the Intrusion Prevention System (IPS), which generates an alarm and also drops the packets. In recent years many researchers do not use standard benchmark datasets; instead they prefer traffic packets from live systems in order to have the latest traffic patterns.
In this paper, Sec. 2 reviews the literature we studied, and Sec. 3 covers approaches to IDS in IoT. Sec. 4 lists the different datasets in brief, Sec. 5 presents the types of IDS in IoT, and Sec. 6 describes the challenges recent IDS face. Sec. 7 and Sec. 8 contain the conclusion and the bibliography respectively.
Figure 1: IDS Working on IoT.


LITERATURE REVIEW 


An Intrusion Detection System (IDS) in IoT decodes every transmitted packet and verifies that it is free of malicious activity and anomalous behaviour, so that smart devices interact smoothly. The researchers implemented an audible alert that sounds whenever suspicious activity takes place. They used a deep learning algorithm to implement the system and verified its performance on the KDD Cup 99 dataset. The implementation was divided into two parts, an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS); with batch-processing computation they achieved 91.4% accuracy. The researchers also found privacy issues in IoT networks [3], and advanced authentication technologies are required to overcome them.


The researchers in [4] designed a mutual authentication scheme and analysed its outdoor and indoor resilience. The proposed method is efficient in detecting relay attacks, Man-in-the-Middle (MITM) attacks and quality attacks. They concluded that sophisticated integrity protocols enable better security on IoT networks.


The research proposed in [5] uses a machine learning approach, the Bayesian Network, which is a probabilistic graphical model for representing knowledge about an uncertain domain: each node corresponds to a random variable and each edge represents a conditional probability between the variables it joins. The method uses a query-based intrusion detection system, which requires improvements in the authentication of IDS for Signature-Based Detection (SBD).


[6-7] studied smart IDS for mobile ad-hoc networks, monitoring security with an Artificial Neural Network (ANN). They indicated the importance of classification in intrusion detection. The developed models are effective in detecting Boat, rare attacks, DoS and probing.


Wi-Fi-enabled smart devices in smart homes have also been used to design an IDS. The researchers developed a Received Signal Strength Indicator (RSSI) based identification router that analyses and visualises whole-home security. The final results show an astounding detection rate [8].
The authors of [9-10] implemented IDS in edge-routed systems, covering DoS attack analysis, edge network intrusion detection, edge node cloud security and related systems. The SDMMEF single-layered min-max fair allocation scheme is utilised, and multi-layer resource allocation is stated effectively in this study.


The analysts of [11] identified intrusions in a real-time environment and in Network Function Virtualization (NFV), which is a new working standard. They highlighted the problem of imbalanced classification when using Supervised Machine Learning (SML) algorithms. In more rapidly changing environments, cloud models require more security protocols.


The model proposed in [12] deals with the challenges of intrusion detection systems in terms of computational efficiency and time, privacy-preserving authentication, and power utilisation. Additionally, overlap issues in deep information-gathering research are discussed.


APPROACHES OF IDS ON IOT 


There are three IDS approaches for IoT: centralized IDS, distributed IDS and hybrid IDS. The approach is selected on the basis of the IoT application.
Centralized IDS 


A Centralized IDS (CIDS) is interdependent with the traffic patterns and smart devices it observes. The system holds the logs of all IoT devices in the network and of all packets transmitted among them. CIDS is cost-effective to implement, as it is installed on one main device that regulates all the smart devices [13]. CIDS is efficient in sensor networks because of the centralised control. Its main components are data collection and a central analyser for performance analysis; distributed data are collected from all connections and correlated. CIDS has a less complex architecture than a Distributed IDS (DIDS). However, the failure of that one system can compromise the connections of every connected device in the IoT. As Figure 2 shows, the local IDS agents are part of the main IDS (global detection logic).


The whole system is maintained and updated through a centralized unit that regulates the system logs and keeps track of all records. Because every IDS procedure passes from the local IDS agents to the central IDS agent, it is more time-consuming than a DIDS.
Figure 2: Central IDS Architecture [14].
Distributed IDS


A DIDS is divided across every single node, with separate monitoring on each smart device to detect malicious activity and stop it from affecting other nodes. Intruders may in some cases succeed in exploiting one node, but the compromise of one node does not lead to compromise of the whole network. Hence, in practice it is safer than a CIDS. Still, its configuration is complex and hazardous to implement, and since it must be installed on each node of the IoT network it may increase development costs. On the other hand, it provides better scalability throughout the system, and less detection time is required to check the transmitted packets. Fig. 3 shows the architecture for regulating smart devices in a smart home.
Figure 3: Distributed IDS in Smart Homes [15].


Hybrid IDS 


To maximise safety and reduce cost while keeping the computation time of the IDS compatible, the two approaches above, CIDS and DIDS, are combined in many systems. Recent IoT systems mostly work with a Hybrid IDS (HIDS), chosen according to the risk factors of the smart devices. HIDS is the most effective proven approach: it manages cost, reduces detection time compared with CIDS, and is less complex than DIDS. Figure 4 shows the advantages of HIDS.
Figure 4: Merits of Hybrid IDS Approach.
DATASETS


Recently, many datasets have started to be generated from the regular traffic of server requests; nevertheless, this paper discusses the standard anomaly and misuse datasets, the benchmark datasets that have been used as IDS standards since 1999 [16].
KDDCup99


KDDCup99 is an updated version of the DARPA dataset, which was the first benchmark dataset for intrusion detection. The Mining Audit Data for Automated Models for Intrusion Detection (MADAM ID) framework was used for feature extraction from raw TCP dump data. The detailed datasets are listed in Table 1. The dataset is captured with 41 features and 5 classes. These features are divided into basic, content and time-based traffic features [17]. Basic features do not use payloads; they are extracted from TCP segment and UDP datagram headers, so they contain only header information for normal classes, while content features use the full TCP/IP payload. Content features are specifically used to identify 'R2L' and 'U2R' types of attack [18]. Time-based features are computed over a narrow two-second window of 'same host' and 'same service' connections; both connection-based and host-based traffic are featured in time-based feature extraction. The KDDCup99 training set has 494,021 connections, while the test set contains 311,029 network connections [19].
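As an added example that is not part of the paper, the Python below computes three KDD-style time-based traffic features (count, srv_count and same_srv_rate) over the two-second window described above; the Connection record layout and the sample traffic are constructed assumptions, not the dataset's own format.

```python
"""Added example: KDD Cup 99-style time-based traffic features.

For each connection, 'count' is the number of connections to the same
destination host in the preceding two seconds, 'srv_count' the number to
the same service, and 'same_srv_rate' the fraction of the same-host
connections that used the same service.  Records are constructed sample
data, not taken from the dataset.
"""
from dataclasses import dataclass
from typing import Dict, List

WINDOW_SECONDS = 2.0  # the two-second window used for KDD time-based features


@dataclass(frozen=True)
class Connection:
    ts: float       # connection start time in seconds (assumed layout)
    src: str        # source host, kept for readability only
    dst: str        # destination host
    service: str    # e.g. "http", "smtp", "ftp"


def time_based_features(conns: List[Connection]) -> List[Dict[str, float]]:
    """Return count, srv_count and same_srv_rate for each connection.

    Records must be sorted by timestamp.  A connection counts itself, as in
    the original feature definitions, so every count is at least 1.
    """
    feats = []
    for i, c in enumerate(conns):
        # Only connections that started within the window before c qualify.
        recent = [p for p in conns[:i + 1] if c.ts - p.ts <= WINDOW_SECONDS]
        same_host = [p for p in recent if p.dst == c.dst]
        same_srv = [p for p in recent if p.service == c.service]
        same_host_srv = [p for p in same_host if p.service == c.service]
        feats.append({
            "count": len(same_host),
            "srv_count": len(same_srv),
            "same_srv_rate": len(same_host_srv) / len(same_host),
        })
    return feats


# Constructed sample traffic: a burst of connections to one host across
# several services within two seconds (the shape a probe would have),
# followed by a single quiet connection elsewhere.
SAMPLE = [
    Connection(0.0, "10.0.0.5", "10.0.0.20", "http"),
    Connection(0.4, "10.0.0.5", "10.0.0.20", "ftp"),
    Connection(0.9, "10.0.0.5", "10.0.0.20", "smtp"),
    Connection(1.5, "10.0.0.5", "10.0.0.20", "telnet"),
    Connection(1.9, "10.0.0.6", "10.0.0.20", "http"),
    Connection(5.0, "10.0.0.7", "10.0.0.21", "http"),
]

if __name__ == "__main__":
    for c, f in zip(SAMPLE, time_based_features(SAMPLE)):
        print(f"{c.ts:4.1f}s {c.dst} {c.service:6s} {f}")
```

The fifth record sees count 5 with srv_count 2, while the isolated last record drops back to 1, which is the contrast a probe detector built on these features relies on.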


Table 1: KDD Cup 99 and NSL-KDD Comparison

Connections | Explanation                                 | KDDCup99 Training | KDDCup99 Testing | NSL-KDD Training | NSL-KDD Testing
Normal      | Usual connections                           | 97,278            | 60,393           | 67,343           | (illegible)
DoS         | Network jamming attacks                     | 391,458           | 229,853          | 45,927           | 7,458
Probe       | Configuration information gathering attacks | 4,107             | 4,166            | 11,656           | 2,422
R2L         | Illegal access from a remote computer       | 1,126             | 16,189           | 995              | 2,887
U2R         | Gaining super-user access as a root user    | 52                | 338              | 52               | 67
Total       | -                                           | 494,021           | 311,029          | 125,973          | 22,544


CAIDA 


This dataset was developed in 2007 from Denial of Service (DoS) and Distributed Denial of Service (DDoS) intrusions within regular traffic traces. DoS and DDoS attacks aim at service disruption: since a router has limited request-handling capacity, the attacker tries to exceed that capacity to disrupt the service. The dataset does not contain a variety of intrusions, so on its own it is not an ideal dataset for evaluating robust IDS models [21]. Additionally, it does not carry the complete traffic features, and partial features make it difficult to distinguish malicious from normal behaviour in IoT.
UNSW-NB15 


The Cyber Security research team of the Cyber Range Lab in Australia used the IXIA PerfectStorm tool to collect traffic data and named the result UNSW-NB15. The dataset is classified into Normal and 9 other types of malicious traffic. Here the scientists deliberately increased the number of target classes to avoid model bias towards normal traffic. A large number of records are included across the 42 features, and the measures added are flow, basic, content, time and generalisation features. The tcpdump tool was used to capture the network packet traces, which amounted to 100 GB of data and were divided into 100 MB files using the same tool. The final normal and malicious connection counts are shown in Table 2.
CICIDS2017 


Recently, many researchers have started to use this dataset for their IDS models because it is the latest benchmark dataset. The CICIDS2017 dataset contains benign traffic and the most up-to-date common attacks, which resembles true real-world data. It also includes the results of network traffic analysis using CICFlowMeter, with flows labelled by timestamp, source and destination IPs, source and destination ports, protocol, and attack. Table 3 shows the detailed CICIDS2017 connections.


Table 2: Training and Testing UNSW-NB15 Dataset

Connections | Training | Testing
Normal      | 56,000   | 37,000
Intrusions  | 37,500   | 8,519
Total       | 93,500   | 28,481


TYPES OF INTRUSION DETECTION ON IOT 


Network Oriented Intrusion Detection 


Network Oriented Intrusion Detection (NOID) is deployed at network nodes for detecting and regulating traffic. NOID checks for malicious activity and, whenever it is detected, sends an alert directly to the administrator. Just as a firewall blocks suspicious applications on a personal computer, NOID works at the traffic-diversion nodes, and every traffic node carries NOID for safe IoT operation.
Host Oriented Intrusion Detection 


The host here is a single device of an IoT network. That distinguishes Host Oriented Intrusion Detection (HOID), where each device carries its own private firewall, from centralised IDS. HOID keeps records and checks the secure management of the device it is oriented to. Malicious activity on a single host can become an open door for intruders to exploit the whole system, since in IoT all devices are co-connected throughout the network. Attacks like worms need to be initiated on only one system and then spread through the whole system; they require no human interaction, since once installed they multiply by themselves. HOID monitors not only online traffic but also system calls, the current process, file updates, background processes and application logs. It also changes command lines if anomalous behaviour is detected on the system or IoT device.


Table 3: Training and Testing CICIDS2017 Dataset

Connections    | Explanation                                                | Training    | Testing
Normal         | Usual connections                                          | 56,000      | 37,000
Fuzzers        | Spam, HTML file penetration and port-scan relevant attacks | 18,184      | 6,062
Analysis       | Port scan, HTML relevant attacks                           | 2,000       | 677
Backdoors      | Evading from background security                           | 1,746       | 583
DoS            | Network jamming attacks                                    | 12,264      | (illegible)
Exploits       | Security hole observation for future exploits              | 33,303      | (illegible)
Generic        | Block-cipher relevant attacks                              | (illegible) | (illegible)
Reconnaissance | Vulnerability gathering                                    | 10,491      | 3,496
Shellcode      | Section of a program used for exploitation                 | 1,133       | (illegible)
Worms          | Auto-multipliable virus                                    | 130         | (illegible)
Total          | -                                                          | 93,500      | 28,481


Protocol Oriented Intrusion Detection 


This type of intrusion detection is built into front-end servers to save server systems from being compromised and to avoid disruption of service. Protocol Oriented Intrusion Detection (POID) is crucial for checking protocol violations between requesting devices and servers. POID mostly checks compliance with the HTTP protocol, and its major applications relate to the web servers of IoT.
Application Oriented Intrusion Detection 


Application Oriented Intrusion Detection (AOID) is also called Cloud Oriented Intrusion Detection (COIS). AOID consists of multiple servers configured for a detection method that monitors all logs of the cloud-based system [22]. Whenever malicious activity is noted on a server, it blocks that specific server and sends a notification to the system administrator. As cloud computing is an inevitable part of IoT, AOID across multiple configured servers is a necessity for smooth IoT operation.
Perimeter Oriented Intrusion Detection 


Perimeter Oriented Intrusion Detection (POID), located on the main server, comes with electronic or fibre-optic devices, like a digital perimeter, that are sensitive to disturbances. Whenever it senses a malicious attempt on the system it triggers an alarm. POID is also considered the first line of defence across servers, and it is simple to install on devices without any critical procedures.
Hybrid Oriented Intrusion Detection 


Since IoT is not limited to devices and servers alone, robust intrusion detection is required. Combining the detection methodologies above provides security over multiple devices at the same time. However, Hybrid Oriented Intrusion Detection is not yet applied to real-time intrusion detection.
CHALLENGES 


An advanced IDS requires an understanding of the current IoT and IDS approaches and their combined architecture. To enhance the robustness of IDS, the challenges of current systems must be overcome. We classify the challenges into three categories: multi-layer attacks, device protection and data collection.
Multi-layer Attacks 


Layer attacks fall into four types: perception, network, support and application. Owing to advances in detection methodologies, attacks that correspond to a single layer are mostly blocked by IDS and IPS. To advance their malicious activity, attackers have started using multi-layer attacks to succeed in breaching nodes, yet most research focuses only on single-layer detection.
Device Protection 


To safeguard IoT networks, all devices must be protected from attackers. Sometimes credential information is leaked by people inside the network in exchange for financial or other gain. This is a serious matter that IoT smart devices have to handle.
Data Collection 


All research experimentation relies on the data available through specific networks and datasets. As technologies emerge, new benchmark datasets are required for experimentation. Also, traffic packets taken from a single kind of device do not cover the traffic patterns of all areas. Hence data gathering is a critical area for researchers.
CONCLUSIONS


From individuals to huge organizations, everyone uses IoT services and expects a secure allocation of their information. Malicious activity is increasing, even though network detection methodologies are improving simultaneously. In this paper we started with the basic architectures of IoT IDS approaches, which are centralized, distributed and hybrid; the hybrid architecture has more merits than either singular method. We then discussed the literature, the benchmark datasets, and listed recent types of IDS on IoT, along with the issues that current IDS in IoT face. Intrusion detection systems are nowadays efficient in dealing with known attacks, but detecting unknown attacks remains complicated, given the limited data sources for experimentation.